author | Rina Fujino <18257209+rina23q@users.noreply.github.com> | 2021-09-21 09:50:40 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-09-21 09:50:40 +0200 |
commit | f55798a44456206d9beb31114d5b731ae74b50d1 (patch) | |
tree | a835f65977e0bcfe63a35e80ebf21d97f29edb8e | |
parent | f0c0ce160a2b191d72a30c5a97056dbb2a797837 (diff) |
[CIT-577] Update postinst script of tedge-agent (#436)
* [CIT-577] Update postinst script of tedge-agent
- tedge-agent can execute plugins other than apt
Signed-off-by: Rina Fujino <18257209+rina23q@users.noreply.github.com>
* [CIT-471] Add tests part 1
Signed-off-by: Rina Fujino <18257209+rina23q@users.noreply.github.com>
-rw-r--r-- | configuration/debian/tedge_agent/postinst | 4 | ||||
-rw-r--r-- | tests/PySys/tedge_agent_user_sudo_access/pysystest.xml | 25 | ||||
-rw-r--r-- | tests/PySys/tedge_agent_user_sudo_access/run.py | 58 |
3 files changed, 85 insertions, 2 deletions
diff --git a/configuration/debian/tedge_agent/postinst b/configuration/debian/tedge_agent/postinst
index 62df6779..437dc09f 100644
--- a/configuration/debian/tedge_agent/postinst
+++ b/configuration/debian/tedge_agent/postinst
@@ -13,10 +13,10 @@ if ! getent passwd tedge-agent > /dev/null; then
 fi
 
 ### Create file in /etc/sudoers.d directory
-echo "%tedge-agent ALL = (ALL) NOPASSWD: /etc/tedge/sm-plugins/apt" > /etc/sudoers.d/tedge-agent
+echo "%tedge-agent ALL = (ALL) NOPASSWD: /etc/tedge/sm-plugins/[a-zA-Z0-9]*" > /etc/sudoers.d/tedge-agent
 
 if [ -f "/etc/sudoers.d/010_pi-nopasswd" ]; then
-    echo "%tedge-agent ALL = (ALL) NOPASSWD: /etc/tedge/sm-plugins/apt" > /etc/sudoers.d/tedge-agent-nopasswd
+    echo "%tedge-agent ALL = (ALL) NOPASSWD: /etc/tedge/sm-plugins/[a-zA-Z0-9]*" > /etc/sudoers.d/tedge-agent-nopasswd
 fi
 
 # create /etc/tedge/.agent directory
diff --git a/tests/PySys/tedge_agent_user_sudo_access/pysystest.xml b/tests/PySys/tedge_agent_user_sudo_access/pysystest.xml
new file mode 100644
index 00000000..bc9c13e5
--- /dev/null
+++ b/tests/PySys/tedge_agent_user_sudo_access/pysystest.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<pysystest type="auto">
+
+    <description>
+        <title>Validate tedge-agent user has a limited sudo right</title>
+        <purpose><![CDATA[
+]]>
+        </purpose>
+    </description>
+    <classification>
+        <groups inherit="true">
+            <group></group>
+        </groups>
+        <modes inherit="true">
+        </modes>
+    </classification>
+    <data>
+        <class name="TedgeAgentUserSudoAccess" module="run"/>
+    </data>
+    <traceability>
+        <requirements>
+            <requirement id=""/>
+        </requirements>
+    </traceability>
+</pysystest>
diff --git a/tests/PySys/tedge_agent_user_sudo_access/run.py b/tests/PySys/tedge_agent_user_sudo_access/run.py
new file mode 100644
index 00000000..2fea6ba6
--- /dev/null
+++ b/tests/PySys/tedge_agent_user_sudo_access/run.py
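Review bot: Widening the NOPASSWD command from `/etc/tedge/sm-plugins/apt` to `/etc/tedge/sm-plugins/[a-zA-Z0-9]*` makes the write permissions of that directory the security boundary, because any file the tedge-agent user or group could create or modify there would now run as root without a password. The hunk does not show where the directory is created, so unless the package already enforces root ownership and a mode that tedge-agent cannot write, the postinst should do it next to this rule, e.g. `chown root:root /etc/tedge/sm-plugins && chmod 0755 /etc/tedge/sm-plugins`. The fragment is written with a plain redirection, so its mode follows the umask in effect; sudoers(5) documents 0440 as the expected mode, so a `chmod 0440 /etc/sudoers.d/tedge-agent` after the echo (and the same for the `tedge-agent-nopasswd` line below) makes it explicit. A comment above the echo should also record that sudoers(5) wildcards do not match `/` and that the pattern requires an alphanumeric first character, so the `..` traversal left as a TODO in run.py cannot match this rule.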
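Review bot: The `<purpose>` CDATA block and `<requirement id=""/>` are left as empty placeholders, so the test catalog says nothing about what this test verifies. The Given/When/Then text from run.py's module docstring belongs in `<purpose>`, and the requirement id should either reference CIT-577 or the empty element should be dropped.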
@@ -0,0 +1,58 @@
+import time
+from pysys.basetest import BaseTest
+import subprocess
+from threading import Timer
+
+"""
+Validate tedge-agent user has a limited sudo right
+
+Given tedge_apt_plugin and tedge_agent are installed
+When we run plugin located in plugin directory as tedge-agent
+Then a plugin is executed
+When we run plugin located out of plugin directory as tedge-agent
+Then a plugin is not executed
+"""
+
+
+class TedgeAgentUserSudoAccess(BaseTest):
+
+    def setup(self):
+        self.sudo = "/usr/bin/sudo"
+
+        self.log.info("Copy apt plugin 'deb'")
+        self.startProcess(
+            command=self.sudo,
+            arguments=["cp", "/etc/tedge/sm-plugins/apt", "/etc/tedge/sm-plugins/deb"],
+            stdouterr="copy_apt_plugin",
+        )
+        self.addCleanupFunction(self.mycleanup)
+
+    def execute(self):
+        proc1 = self.startProcess(
+            command=self.sudo,
+            arguments=["-u", "tedge-agent", self.sudo, "/etc/tedge/sm-plugins/apt"],
+            stdouterr="apt",
+            expectedExitStatus="==1",
+        )
+        self.assertThat("value" + proc1.expectedExitStatus, value=proc1.exitStatus)
+
+        proc2 = self.startProcess(
+            command=self.sudo,
+            arguments=["-u", "tedge-agent", self.sudo, "/etc/tedge/sm-plugins/deb"],
+            stdouterr="deb",
+            expectedExitStatus="==1",
+        )
+        self.assertThat("value" + proc2.expectedExitStatus, value=proc2.exitStatus)
+
+        # To Do
+        # vulnerability check
+        # sudo -u tedge-agent sudo /etc/tedge/sm-plugins/../../../bin/ls
+        # Must be asked a password of tedge-agent
+
+    def mycleanup(self):
+        self.log.info("Remove the copied apt 'deb' plugin")
+        self.startProcess(
+            command=self.sudo,
+            arguments=["rm", "/etc/tedge/sm-plugins/deb"],
+            stdouterr="remove_copied_apt_plugin",
+        )
|
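Review bot: Both assertions in `execute` only check for exit status 1, which is also what sudo returns when it refuses the command or cannot prompt for a password because there is no tty, so a broken sudoers rule would still pass this test even though the docstring says the plugin is executed. Run the inner sudo with `-n` so it fails instead of prompting, and assert on the captured output with `self.assertGrep("apt.out", expr=...)` for the plugin's own usage text rather than for sudo's `a password is required` message; the same applies to the `deb` case. The traversal case sketched in the `# To Do` comment can be added now as a third `startProcess` with `-n` that expects a non-zero status and sudo's refusal message in `.err`, since sudoers wildcards do not match `/`. `time`, `subprocess` and `Timer` are imported but unused.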